Network Security Fundamentals
Security is not an afterthought; it is built into the network design. From firewalls to VPNs, defense in depth is key.
1. The CIA Triad
Every security decision balances these three pillars:
- Confidentiality: Only authorized users can read the data. (Encryption, VPNs).
- Integrity: The data has not been altered in transit. (Hashing, HMAC).
- Availability: The system is accessible when needed. (DDoS protection, Redundancy).
2. Firewalls: Packet Filtering vs Stateful
A firewall sits at the perimeter (or internally) to enforce policy.
- Stateless (ACLs): Inspects each packet in isolation. Fast but "dumb". Cannot tell if a packet is part of an established connection.
- Stateful Inspection (SPI): Tracks the state of active connections in a session table.
    - If a client sends a SYN (outbound), the firewall dynamically permits the return SYN-ACK (inbound).
- Next-Gen Firewall (NGFW): Deep Packet Inspection (DPI). Looks at Layer 7 (Application) to block specific URLs, malware, or app behaviors regardless of port.
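To make the stateless vs stateful distinction concrete, here is an added Python model (not code from the page): a stateless "established"-style ACL that judges each packet by its TCP flags alone, beside a stateful firewall that keeps a session table, both fed the same constructed packet sequence. The Packet, StatelessAcl, StatefulFirewall and run_scenario names, and all addresses and ports, are assumptions made for this example.

```python
# Added model (not from the page); all addresses and ports below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # subset of "SAFR": SYN, ACK, FIN, RST
    direction: str  # "out" = leaving the protected LAN, "in" = entering it
class StatelessAcl:
    """Extended-ACL style check with an 'established' rule: inbound TCP is
    permitted when ACK or RST is set. Every packet is judged alone, so an
    unsolicited inbound packet that merely carries ACK looks 'established'."""
    def permit(self, p: Packet) -> bool:
        if p.direction == "out":
            return True
        return "A" in p.flags or "R" in p.flags

class StatefulFirewall:
    """Stateful inspection: an outbound SYN adds an entry to the session table;
    inbound traffic is permitted only when it is the reverse of a tracked session."""
    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)
    def permit(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.flags == "S":  # new connection attempt
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        reverse = (p.dst, p.dport, p.src, p.sport)  # key as the inside host sees it
        if reverse not in self.sessions:
            return False
        if "R" in p.flags or "F" in p.flags:  # teardown: forget the session
            self.sessions.discard(reverse)
        return True

def run_scenario(fw) -> list:
    client, server, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    packets = [
        Packet(client, 51000, server, 443, "S", "out"),  # client opens HTTPS
        Packet(server, 443, client, 51000, "SA", "in"),  # legitimate SYN-ACK reply
        Packet(other, 4444, client, 51000, "S", "in"),   # unsolicited inbound SYN
        Packet(other, 4444, client, 51000, "A", "in"),   # unsolicited inbound ACK
    ]
    return [fw.permit(p) for p in packets]

if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessAcl()))     # [True, True, False, True]
    print("stateful: ", run_scenario(StatefulFirewall()))  # [True, True, False, False]
```

The fourth packet is the point: flag-only filtering admits it because ACK is set, while the session table rejects it because no inside host ever opened that connection.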
Standard vs Extended ACLs (Cisco Syntax)
| Type | Range | Features | Placement |
|---|---|---|---|
| Standard | 1-99 | Source IP only. | Close to Destination. |
| Extended | 100-199 | Source, Destination, Protocol, Port. | Close to Source (Drop early). |
3. VPNs (Virtual Private Networks)
VPNs extend a private network across a public network (Internet) using tunneling (GRE/IPsec) and encryption.
Phase 1 (IKE SA): Authenticate peers (Pre-Shared Key / Certs) and negotiate encryption for the management channel. (IKE runs over UDP 500).
Phase 2 (IPsec SA): Negotiate encryption for the actual data traffic (ESP, IP protocol 50, or AH).
Troubleshooting Tip: "Phase 1 is up, Phase 2 is down" usually means a mismatch in the crypto map (ACLs or Transform Sets).
4. Common Network Attacks
- MITM (Man-in-the-Middle): Attacker intercepts traffic. (e.g., ARP Spoofing). Mitigation: Dynamic ARP Inspection (DAI).
- DoS / DDoS: Flooding a target with traffic. (e.g., SYN Flood). Mitigation: Rate Limiting, Scrubbing Centers.
- Spoofing: Faking a Source IP. Mitigation: uRPF (Unicast Reverse Path Forwarding).
References
- RFC 4301: Security Architecture for the Internet Protocol - The foundation of IPsec (AH/ESP).
- NIST SP 800-41: Guidelines on Firewalls and Firewall Policy - Standard guide on stateful vs stateless inspection.
- RFC 3704: Ingress Filtering for Multihomed Networks (uRPF) - Best practices for preventing IP Spoofing.